DemandMatrix Privacy Notice

Effective Date: March 2021

Introduction

DemandMatrix, Inc. collects and processes your personal information in accordance with this privacy policy. This policy provides you with information regarding our obligations and your rights in compliance with the General Data Protection Regulation (GDPR). By using the DemandMatrix website, you consent to the data practices described in this statement.

Information That We Collect From You

Information that you provide to us directly might include personal information such as your name, email address, telephone number and other personal details. The information so collected will be stored on our servers. You are able to change your personal information via email by contacting us at privacy@demandmatrix.com.

We may also collect non-personal information that may identify you such as location, IP address, browser type, information about your internet connection, operating system, and other details about the device you are using.

WE DO NOT SELL YOUR PERSONAL INFORMATION, NOR DO WE INTEND TO DO SO. WE DO NOT GIVE ACCESS TO YOUR PERSONAL INFORMATION TO THIRD PARTIES EXCEPT TO SUB-PROCESSORS TO ASSIST US IN THE PROVISION OF OUR SERVICES TO YOU.

How We Use Your Personal Data

We use your personal data to provide our services or products to you. Where you have consented we may also use your information to send you promotional offers and marketing. You are free to withdraw this consent at any time.

We respect your privacy at all times. Your information will never be disclosed or shared with others without your consent, unless required to do so by law or where we believe disclosure is necessary to prevent or respond to fraud, defend our websites or Services against attacks, or protect our property and security, or our customers and users.

Sharing or Disclosing Your Personal Data

Whilst we will never disclose or share your data with others without your consent, we use third-party processors to provide our services; these companies will process or store your information on our behalf. We use the following third parties that may process your personal information:

– We use Google for hosting, storage, email services, and analytics. For more information about Google, please read their privacy policy at https://privacy.google.com/
– We use Hubspot for customer relations management and marketing automation. For more information about Hubspot, please read their privacy policy at https://legal.hubspot.com/privacy-policy
– We use Mouseflow to provide session heatmaps. For more information about Mouseflow, please read their privacy policy at https://mouseflow.com/privacy/
– We use Heap Analytics to provide analytical services. For more information about Heap Analytics, please read their privacy policy at https://heapanalytics.com/privacy

We ensure all processors acting on our behalf act in accordance with this privacy notice.

Your Rights

Under GDPR you have the right to access personal information that DemandMatrix, Inc. processes about you. You can request from us information about:

– The personal data we hold about you
– The categories of personal data concerned
– The purposes of the processing
– Details to whom your personal data has/will be disclosed
– How long we retain your personal data
– If we did not collect the data directly from you, information about the source

You may also request from us the following:

1. That we update any incomplete or inaccurate data about you
2. Request that we delete your personal data in accordance with GDPR.

You may action your rights by contacting us at DemandMatrix, Inc.
10373 Menhart Ln, Cupertino, CA-95014, USA or by emailing us at privacy@demandmatrix.com

To ensure your data is protected, if we receive a request from you to exercise your rights, we will ask you to verify your identity before acting on the request.

International Transfers

Your personal data may be processed outside the EU by us or the third parties we use. Your personal data may be processed in the USA by our processors. We also have an office in Kharadi, India, from where personnel may access data. At no time is the data stored in India; it remains on the USA servers at all times.

If you are visiting our Web site or registering for our Services from outside the United States, be aware that your Personal Information may be transferred to, stored, and processed in the United States. Our servers or our third-party hosting services partners are located in the United States. By using our site, you consent to any transfer of your Personal Information out of Europe, UK, or Switzerland for processing in the US or other countries.

We will comply with the EU Standard Contractual Clauses with respect to the transfer of Personal Data from the EU to the US for processing. If there is any conflict between the terms and conditions in this Privacy Policy and your rights under the EU Standard Contractual Clauses, the terms and conditions in the EU Standard Contractual Clauses will govern. For the purposes of this Privacy Policy, “EU Standard Contractual Clauses” mean the standard contractual clauses for the transfer of personal data to processors established in the US (Commission Decision 2010/87/EC).

I. Obligations of the data importer (processors)

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organizational security measures before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:
o any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
o any accidental or unauthorized access, and
o any request received directly from the data subjects without responding to that request unless it has been otherwise authorized to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for an audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

II. Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to make available to the data subjects upon request a copy of the Clauses, with a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information; and

(h) that, in the event of sub-processing, the processing activity is carried out in at least the same level of protection for the personal data and the rights of the data subject as the data importer under the Clauses.

III. Liability

(a) The parties agree that any data subject who has suffered damage as a result of any breach of the obligations referred to above by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

(b) If a data subject is not able to bring a claim for compensation in accordance with paragraph (a) against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to above, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

(c) If you are a resident of or a visitor to Europe, you have certain rights with respect to the processing of your Personal Data (referred to here as Personal Information), as defined in the GDPR.

(d) Please note that in some circumstances, we may not be able to fully comply with your request, or we may ask you to provide us with additional information in connection with your request, which may be Personal Information, for example, if we need to verify your identity or the nature of your request.

(e) In such situations, however, we will still respond to let you know of our decision. As used herein, “Personal Information” means any information that identifies you as an individual, such as name, address, email address, IP address, phone number, business address, business title, business email address, company, etc.

(f) To make any of the following requests, please contact us (i) via email at privacy@demandmatrix.com, or (ii) by writing to us at DemandMatrix, Inc. 10373 Menhart Ln, Cupertino, CA-95014, USA.

Access: You can request more information about the Personal Information we hold about you. You can also request a copy of the Personal Information.

Rectification: If you believe that any Personal Information we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data. Please contact us as soon as possible upon noticing any such inaccuracy or incompleteness.

Objection: You can contact us to let us know that you object to the collection or use of your Personal Information for certain purposes.

Erasure: You can request that we erase some or all of your Personal Information from our systems.

Restriction of Processing: You can ask us to restrict further processing of your Personal Information.

Portability: You have the right to ask for a copy of your Personal Information in a machine-readable format. You can also request that we transmit the data to another entity where technically feasible.

Withdrawal of Consent: If we are processing your Personal Information based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, it may limit your ability to use some/all of our Services or Platform and you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Information if such use or disclosure is necessary to enable you to utilize some or all of our Services and Platform.

Right to File Complaint: You have the right to lodge a complaint about our practices with respect to your Personal Information with the supervisory authority of your country or EU Member State. Please go to https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm to locate your Data Protection Authority.

Response: We will respond to your inquiry within thirty (30) days of the receipt.

For Our Canadian Users

This Section supplements the information contained in our Privacy Policy above and applies solely to all visitors, users, and others to our Website or Platform, who reside in Canada (“consumers” or “you”). We ensure compliance with the Personal Information Protection and Electronic Documents Act of 2000 (“PIPEDA”) and any terms defined in the PIPEDA have the same meaning when used in this Section.

Definition of Personal Information. Any information about an identifiable individual. Whatever may be the physical form or characteristics of a particular regime for “business contact information” (name, position, title, address, professional phone number, etc.)

Right to Access Personal Information. You can request to access your personal information we hold about you. We will first confirm whether you have requested such information, explain how we have used your information, provide a list of names with whom your information has been shared and provide a copy of your information in an accessible format and make alternative formats available if requested.

Right to Correction/Limited Right to Deletion. You can request us to correct or delete your information IF you demonstrate that the personal information we hold on you is inaccurate. We will delete or correct your information within thirty (30) calendar days. When we delete/correct your personal information we will inform the third parties with whom we have shared your information.

Right to be Forgotten. Your information will be kept with us for as long as it is required for the fulfillment of the purposes of the DemandMatrix, Inc. platform. Unless we otherwise give you notice, we will retain your Information on the DemandMatrix, Inc. Platform on your behalf until such time as you or we terminate your User Account.

Data Breach Notification. We will send a notification to you as soon as feasible regarding the information of any breach that creates a “real risk of significant harm” to you.
We keep a record of every data breach and, on request, provide the Office of the Privacy Commissioner with access to the record.

Canadian Privacy Officer. We have appointed a Canadian Privacy and Data Protection Officer, Nischal Vohra, nischal@demandmatrix.com, to make sure the privacy rights of our Canadian users are protected in compliance with PIPEDA.

Two Factor Authentication. You may enable two-factor authentication on your account to help ensure that only you can access your account. If you do, in addition to entering your password to log in to your account to access the DemandMatrix, Inc. Platform, we will send a code to your mobile number, which you will need to enter. This added security prevents anyone else from accessing your DemandMatrix, Inc. account unless they have access to your login information.

Contact Information. You may contact us (i) at [Email ID], or (ii) by writing to us at Privacy Officer, at DemandMatrix, Inc. 10373 Menhart Ln, Cupertino, CA, 95014 USA to (i) make a Personal Information Request, (ii) correct or delete your personal information, (iii) discuss our Privacy Policy and/or anything that has to do with it. We will respond within thirty (30) calendar days of receiving such a request or query. Additionally, in order for us to respond to your request or query, we will need to collect information from the requesting party to verify their identity.

How Long We Retain Your Data

DemandMatrix, Inc. only retains personal information for as long as is necessary. For further details on our data retention periods please contact us at privacy@demandmatrix.com. Where you have consented to us using your details for direct marketing, we will keep this data until you notify us or otherwise withdraw your consent.

Children

We do not knowingly collect Personal Data from children under the age of 13. If you are under the age of 13, please do not submit any Personal Data through our Services.
Our Website is not meant for use by children under the age of 13. Our Website does not target children under the age of 13, but we do not age-screen or otherwise prevent the collection, use, and personal disclosure of persons identified as under 13. If you learn that a minor child has provided us with personal information without your consent, please contact us at privacy@demandmatrix.com.

Links to Other Web Sites

Our services may contain links to other websites not controlled or operated by DemandMatrix, Inc. These links do not imply that we endorse these third-party sites. We recommend reviewing those sites directly for information on their privacy policies.

Cookies

A ‘cookie’ is a small text file sent from a website and stored on the user’s computer by the user’s web browser. Upon visiting a site that uses cookies, a cookie is downloaded onto your computer or mobile device. The next time you visit that site, your device will remember useful information such as preferences, visited pages or logging in options.

Cookies are widely used to add functionality to websites or to ensure they work more efficiently. Our site relies on cookies to optimize the user experience and ensure the site’s services function properly. You can set your browser to refuse some or all the browser cookies, but if you disable or refuse cookies, some parts of our Website may not be accessible or function properly.

We use web analytical software including Google Analytics in order to understand the usage of our service and improve the user experience. This applies to both pages where you are signed in to our service and pages where you are not signed in. We do not share any personal information with these analytics tools. All of our activity falls within the bounds of the Google Analytics Terms of Service. For more information on how Google Analytics collects and processes data, please visit ‘How Google uses data when you use our partners’.
You may opt out of Google Analytics by visiting the Google Analytics opt-out page.

We may use third party marketing cookies to help deliver ads relevant to your interests. These include:

Facebook – You can learn more about Facebook cookies and how you can control them at https://www.facebook.com/policies/cookies/
Google/Youtube – You can learn more about Google cookies and how you can control them at https://policies.google.com/technologies/cookies
Hubspot – You can learn more about Hubspot cookies and how you can control them at https://legal.hubspot.com/cookie-policy

Most web browsers allow some control to restrict or block cookies through the browser settings; however, if you disable cookies you may find this affects your ability to use certain parts of our website or services. For more information about cookies please visit https://www.aboutcookies.org.

CAN-SPAM Act of 2003

The CAN-SPAM Act establishes requirements for commercial messages, gives recipients the right to have businesses stop emailing them, and spells out penalties for violations. Per the CAN-SPAM Act, we will:

– not use false or misleading subjects or email addresses;
– identify the email message as an advertisement in some reasonable way;
– include the physical address of DemandMatrix, Inc. which is DemandMatrix, Inc. 10373 Menhart Ln, Cupertino, CA-95014, USA;
– monitor third-party email marketing services for compliance, if one is used;
– honor opt-out/unsubscribe requests quickly; and
– give an “opt-out” or “unsubscribe” option.

If you wish to opt-out of email marketing, follow the instructions at the bottom of each email or contact us at privacy@demandmatrix.com and we will promptly remove you from all future marketing correspondence.

Modifications to our Privacy Policy

DemandMatrix, Inc. reserves the right, at its sole discretion, to change or modify this Privacy Policy at any time.
In the event that we modify this Privacy Policy, such modifications shall be binding on you only upon your acceptance of the modified Privacy Policy. We will inform you about our modifications on our Privacy Policy via email, on our Website by posting a modified version of the Privacy Policy page, or by comparable means within a reasonable time.

Contact Us

To ask questions or comment about this Privacy Policy and our privacy practices, contact us at:

Point of Contact: Nischal Vohra
Email: privacy@demandmatrix.com
Address: DemandMatrix Inc, 10373 Menhart Ln, Cupertino, CA-95014, USA

PLEASE NOTE: IF YOU USE OUR WEBSITE OR PLATFORM, YOU HAVE AGREED TO AND ACCEPTED THE PRACTICES DESCRIBED IN THIS PRIVACY POLICY AND THE TERMS AND CONDITIONS SET FORTH IN OUR TERMS OF USE, AS APPLICABLE. IF YOU DO NOT AGREE WITH THE TERMS OF THIS PRIVACY POLICY, PLEASE DO NOT USE OUR WEBSITE OR PLATFORM.